Colm MacCárthaigh <c...@stdlib.net> wrote:
>
> This thread concerns the vulnerabilities uncovered in the fragment
> attacks. One of those vulnerabilities is that domains can be rendered
> unresolvable, even when DNSSEC is enabled. That seems like something
> to take seriously.

I am increasingly doubtful that EDNS buffer sizes greater than the MTU are
a good idea.

Apart from avoiding fragments, are there other ways to mitigate this
attack? Perhaps by adjusting the way the recursive server handles lame
authorities, perhaps by making it more eager to re-fetch the delegation
from the parent authorities?

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
